vuzion love cloud gdpr event

Welcome to Love Cloud GDPR Thursday 2 November 2017, 09:30-12:30 Microsoft UK, Paddington, London

Upload: vuzion

Post on 21-Jan-2018

TRANSCRIPT

Page 1: Vuzion Love Cloud GDPR Event

Welcome to

Love Cloud GDPR

Thursday 2 November 2017, 09:30-12:30

Microsoft UK, Paddington, London

Page 2: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Michael Frisby, Vuzion MD

Welcome and Introduction

Page 3: Vuzion Love Cloud GDPR Event

A Massive Transformation Opportunity

Dedicated to Partner Success

Overcoming the challenges of our time

Page 4: Vuzion Love Cloud GDPR Event

Achieving GDPR Compliance

• Location: Identifying existing personal data held across the business
• Governance: Managing data subject access rights, data storage and use
• Security: Protecting against vulnerabilities and breach
• Reporting: For data requests, breaches, and accountability

Page 5: Vuzion Love Cloud GDPR Event

The Partner Opportunity

Process track

Technical track

Define the requirement

Create the plan

• GDPR Webinars
• GDPR Workshops
• GDPR Healthcheck
• GDPR Assessments
• Implementation Clinics
• Annuity Services

Page 6: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

09:00-09:30 REGISTRATION

09:30-09:45 Welcome & Introduction Michael Frisby, Vuzion MD

09:45-10:15 Introduction to GDPR Sean Huggett, Cybercrowd, CEO & Consultant

10:15-10:45 Microsoft and GDPR Jonathan Burnett and Samantha Garrett, Partner Technology Strategists

10:45-11:00 TermSet and GDPR Stewart Connors, Head of Customer & Partner Success

11:00-11:15 COFFEE AND PASTRIES

11:15-11:30 Acronis and GDPR Ronan McCurtin, Senior Sales Director Northern Europe

11:30-11:45 Mimecast and GDPR David Tweedale, Team Leader

11:45-12:00 DocuSign and GDPR Jacqueline de Gernier, AVP Commercial Sales

12:00-12:30 Panel Interview

Vuzion GDPR Support Package

Closing Thoughts

Caroline Wigley (Vuzion), Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Rowland Dexter (QGate)

Agenda

Page 7: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Sean Huggett, Cybercrowd, CEO & Consultant

Introduction to GDPR

Page 8: Vuzion Love Cloud GDPR Event

Introduction to GDPR

• Came into force on 24th May 2016 – enforceable from 25th May 2018
• EU Regulation – has direct effect – no local legislation required
• Replaces the Data Protection Act 1998 - transposed into law from Data Protection Directive 1995
• Aims to support the digital single market and give data subjects control over their personal data
• Wide scope & coverage
• Guidance on interpretation and compliance still being developed
• UK Government has confirmed applicability in UK notwithstanding Brexit

Page 9: Vuzion Love Cloud GDPR Event

Key Definitions

Data Controller

• “the natural or legal person… which … determines the purpose and means of the processing of personal data”

Data Processor

• “a natural or legal person… which processes personal data on behalf of the controller”

Data Subject

• “an identified or identifiable natural person”

Personal Data

• “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data….”

Processing

• “any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage…”

Page 10: Vuzion Love Cloud GDPR Event

Six Data Protection Principles & Accountability

• Six data protection principles – overview of your most important duties in complying with GDPR

• Introduces ‘accountability principle’ – Data Controllers responsible for being able to demonstrate compliance with the six principles

Personal Data shall be:

1. processed lawfully, fairly and transparently
2. collected for specified, explicit & legitimate purposes
3. adequate, relevant & limited to what is necessary for processing
4. accurate and kept up to date
5. kept only for as long as is necessary for processing
6. processed in a manner that ensures its security

ACCOUNTABILITY

Page 11: Vuzion Love Cloud GDPR Event

Data Subject Rights

Rights to:

• Information - think about Privacy Notices

• Access - think about Subject Access Requests

• Object to Processing

• Rectification

• Erasure – ‘right to be forgotten’

• Restrict Processing

• Data Portability

Page 12: Vuzion Love Cloud GDPR Event

Obligations & International Transfers

Obligations

• Data Protection Officers (DPO)

• Data Protection Impact Assessments (DPIA)

• Data Protection by Design and by Default

• Controller & Processor Records

• Security of Processing

• Breach Notification

• Processor contracts with guarantees that processing will meet the requirements of GDPR

International Transfers – Restricted & Regulated – Conditions to be Met

• Basis of Adequacy

• Appropriate Safeguards

• Binding Corporate Rules (BCRs)

• International Cooperation Mechanisms: EU-US Privacy Shield

Page 13: Vuzion Love Cloud GDPR Event

Remedies & Liabilities

Liabilities

• Administrative Fines – ‘Effective, Proportionate & Dissuasive’

o Higher of 4% of global turnover or €20m for top tier infringements

o Higher of 2% of global turnover or €10m for lower tier infringements

• Warning of likely infringement

• Reprimand for infringement

• Others, including: order data breach communication, order limitations on processing, order rectification/restriction/erasure

Data Subject Remedies

• Right to judicial remedy where their rights have been infringed as a result of the processing of personal data

• Right to compensation – data subjects who have suffered material or non-material damage

• Controller & Processor joint and several liability

• Collective claims / class-action type litigation possible – higher litigation risks

Page 14: Vuzion Love Cloud GDPR Event

Some Practical Steps

1. Understand Personal Data You Hold:

• Data mapping – identify Personal Data held, how it was/is collected, data flows, who has access, where it is stored etc.

• Apply the 6 Principles to the Personal Data you hold.

• Assess the risks to rights and freedoms of data subjects associated with your processing / the personal data you hold.

• Identify transfers to 3rd countries.

2. Review 3rd Party Relationships:

• Identify your 3rd party processors.

• Review the contracts, bring them into compliance – including cloud service providers.

Page 15: Vuzion Love Cloud GDPR Event

3. Document Your Processing Activities:

• Put the required documentation in place – records of processing activities, records of consent etc.

• Document how you comply with GDPR – demonstrate you are consistently applying best practice.

4. Apply Technical and Organisational Measures:

• Implement strong information governance measures, including policies and procedures covering:

o Data protection

o Information security

o Breach response and notification

• Adopt a ‘Cyber Resilience’ approach covering People, Process & Technology in line with best practice.

• Implement an ISMS / PIMS / Compliance Framework – apply best practice and certify where appropriate

Some Practical Steps

Page 16: Vuzion Love Cloud GDPR Event

Thank you

Speak to a member of the Vuzion team

if you’d like to know more!

Page 17: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Jonathan Burnett, Partner Technology Strategist

Samantha Garrett, Partner Technology Strategist

Microsoft and GDPR

Page 18: Vuzion Love Cloud GDPR Event

What are the key changes to address the GDPR?

Personal privacy

Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Controls and notifications

Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing

Transparent policies

Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training

Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts

Page 19: Vuzion Love Cloud GDPR Event

How do I get started?

1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications

Page 21: Vuzion Love Cloud GDPR Event

1. Discover: Identify what personal data you have and where it resides

In-scope:

Inventory:

Example solutions

• Microsoft Azure: Microsoft Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity; Reporting & Analytics
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language
• Windows & Windows Server: Windows Search

Page 22: Vuzion Love Cloud GDPR Event

2. Manage:

Data governance:

Data classification:

Example solutions

• Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit

Page 23: Vuzion Love Cloud GDPR Event

3. Protect:

Preventing data attacks:

Detecting & responding to breaches:

Example solutions

• Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
• Office & Office 365: Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
• Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard

Page 24: Vuzion Love Cloud GDPR Event

4. Report:

Record-keeping:

Reporting tools:

Example solutions

• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
• Windows & Windows Server: Windows Defender Advanced Threat Protection

Page 25: Vuzion Love Cloud GDPR Event

GDPR Resources

Microsoft Whitepaper on "Beginning your GDPR Journey"

Microsoft.com/GDPR

servicetrust.microsoft.com

aka.ms/GDPRblogpost

Data Breach & GDPR Demos

Page 26: Vuzion Love Cloud GDPR Event

Next Steps

• Determine if your customers need to be GDPR compliant. If so, act now!

• Familiarize yourself with the Microsoft GDPR Assessment Tool that you can use to assess your customer’s readiness

• Reassure your customers that Microsoft cloud services will be compliant with GDPR and we will share our knowledge to help them get compliant in time for May 25, 2018.

• Learn more about the GDPR and Microsoft Security offerings.

• Identify your offerings and go-to-market strategy, using the Microsoft Cloud.

• Pilot your services and offerings with a few customers before you go broad.

Page 27: Vuzion Love Cloud GDPR Event

Risk Mitigation Suggestions

Management

2. Data Encryption
3. Phishing Protection
4. 2 Factor Authentication
5. Cloud Application Security
6. Mobile Security

Page 29: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Stewart Connors, Head of Customer & Partner Success

TermSet and GDPR

Page 30: Vuzion Love Cloud GDPR Event

GDPR: Automate the process for discovering Personal Identifiable Information (PII)

Page 31: Vuzion Love Cloud GDPR Event

The Challenge

External
• GDPR will require all EU organisations to focus on discovering PII on behalf of customers & former employees
• “Subject Access Request” is not new and will continue
• “Right to be Forgotten” is new & will force organisations to collect all the digital information they hold

Internal
• Organisations’ information is held in multiple IT systems
• Also non-approved IT systems (shadow IT/BYOD)
• Information is typically held in documents that are structured and unstructured
• Discovering PII is currently a manual process
• This will cost organisations time and money

• “Subject Access Request” Ongoing breaches & Fines
• 49% of organisations had a document breach in the past 2 years*
• 73% of employees are accidentally exposing information stored within documents*
• 63% of organisations claim they are unable to locate sensitive data stored in documents*

*Information taken from the Ponemon Institute Research report May 2017.

Page 32: Vuzion Love Cloud GDPR Event

ScanR

Generate Reports

Discover PII in Office docs, PDF, OCR on the fly.

Multiple Systems

The Solution

Identify and retrieve GDPR Personal Identifiable Information within documents stored in multiple systems.

Page 33: Vuzion Love Cloud GDPR Event

Product overview ScanR

Page 34: Vuzion Love Cloud GDPR Event

Connect to SharePoint, a File Share or other systems

Documents where we wish to determine if they contain sensitive data

Page 35: Vuzion Love Cloud GDPR Event

Choose the types of information you would like to discover

• Over 100 pre-defined rules or you can make your own

• Artificial Intelligence for Pattern Matching

Page 36: Vuzion Love Cloud GDPR Event

Documents Marked in place or reports produced

Page 37: Vuzion Love Cloud GDPR Event

Overview Dashboard

• Three data sources read
• ~19k Documents read with 79% containing PII data
• Breakdown of what PII data is contained where
• Locations of the sensitive data
• Which systems contain the most sensitive data

Page 38: Vuzion Love Cloud GDPR Event

Search for information across your data sources

Immediately see the records that match

Understand the types of data that contain the information

Query engine

Page 39: Vuzion Love Cloud GDPR Event

Articles Contained in the GDPR

11 Chapters with 99 Articles

http://www.eugdpr.org/article-summaries.html

ScanR will help you comply with Articles: 5, 15, 16, 17, 18, 20, 24, 30, 32, 35, 42, 44, 45.
• Gain an understanding of where the PII data is located
• Gain an understanding of who has access to it
• Gain an understanding of how long it’s being retained
• Retain personal data for a period of time directly related to the original intended purpose
• Find risky files and take action
• Manage a Subject Access Request

• Request a port of the data
• Request a correction to the data
• Request deletion of the data

Page 40: Vuzion Love Cloud GDPR Event

Summary

ScanR

• Automate the process for discovering PII

• Quickly respond to “Subject Access Request” & “Right to be Forgotten”

• Comply with over 10 of the 99 Articles

Next Step

• Free trial up to 1,000 documents

Page 42: Vuzion Love Cloud GDPR Event

Thank you

Speak to a member of the Vuzion team

if you’d like to know more!

Page 43: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Coffee and Pastries

11:00-11:15

Page 44: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Ronan McCurtin, Senior Sales Director Northern Europe

Acronis and GDPR

Page 45: Vuzion Love Cloud GDPR Event

Where Acronis supports GDPR compliance

‒ Key activities
– Privacy impact assessment
– Data access governance
– Data breach notification / resolution
– Secure storage of active data
– Archiving and deleting

Acronis Backup

Acronis Storage

Acronis Backup Cloud

Acronis Disaster Recovery Service

Page 46: Vuzion Love Cloud GDPR Event

Requirements for GDPR-compliant backup and storage 1

| Requirement | Desirable features | GDPR recitals supported |
| --- | --- | --- |
| Control data storage location | Reporting for compliance | 101: General principles for international data transfers |
| Encrypt data securely | Encryption on the device, in transit, and at rest | 78: Appropriate technical and organizational measures; 83: Security of processing |
| Browse backups | Drill-down to easily find required data | 63: Right of access; 65: Right of rectification and erasure |
| Modify personal data | Easy modification if requested by data subject | 59: Procedures for the exercise of the rights of the data subjects; 63: Right of access; 64: Identity verification; 65: Right of rectification and erasure |
| Export data in a common format for easy data portability | ZIP archive for easy portability | 68: Right of data portability |
| Recover data quickly | Acronis Instant Restore to deliver 15-second recovery time objectives (RTOs) | 78: Appropriate technical and organizational measures |

Page 47: Vuzion Love Cloud GDPR Event

Requirements for GDPR-compliant backup and storage 2

| Requirement | Desirable features | GDPR recitals supported |
| --- | --- | --- |
| Minimize compulsory data breach reporting | Proactive prevention of malware damage to files; specific protection of the Acronis Backup agent to prevent data breach of backups | 85: Notification obligation of breaches to supervisory authority; 86: Notification of data subjects in the case of data breaches; 87: Promptness of reporting / notification; 88: Format and procedures of the notification |
| Blockchain-based data certification | Acronis Notary validation of the authenticity and integrity of backups | 78: Appropriate technical and organizational measures |
| Backup retention, deletion | Flexible setting of retention time of data, archival rules, etc.; ability to delete backup at any moment | 66: Right to be forgotten |
| Logs availability | Logging of operations with data | 82: Record of processing activities [correct?] |
| Role-based access | Multilayered and highly customizable data access rights | 63: Right of access [correct?] |
| Risk management control | Very flexible backup and Active Protection | 84: Risk evaluation and impact assessment [correct?] |

Page 48: Vuzion Love Cloud GDPR Event

What to look for in GDPR-compliant backup and storage

‒ Data subject control of data storage location
– Individual must have final say as to where personal data is stored: on-premises or in a specific EU-based data center

‒ Data encryption
– Strong data encryption on-device, in transit and in the cloud
– An entirely automated encryption process, with the data subject as the sole holder of the decryption key, meeting GDPR data security requirements

Page 49: Vuzion Love Cloud GDPR Event

What to look for in GDPR-compliant backup and storage

‒ Ability to search data inside backups
– Ability to drill down through backups, making it easy to find required information on behalf of data subjects

‒ Ability to modify personal data
– Easy way to modify personal data if and when requested by data subjects

Page 50: Vuzion Love Cloud GDPR Event

What to look for in GDPR-compliant backup and storage

‒ Data export in a common format
– Ability to export personal data in a common and easily usable format (e.g., ZIP archives) to meet the GDPR data portability requirements

‒ Quick data recovery

Page 51: Vuzion Love Cloud GDPR Event

How Acronis helps your company achieve GDPR compliance

‒ Flexible setting of retention time of data, archival rules, etc.

‒ Extensive logging

‒ Multilayered and highly customizable data access rights

Page 52: Vuzion Love Cloud GDPR Event

How Acronis helps your company achieve GDPR compliance

‒ Active Protection against ransomware
– Proactively preventing breaches is easier and more cost-effective than suffering breaches and doing the mandatory incident reporting
– Acronis Active Protection™ detects and blocks ransomware attacks and instantly restores any affected data

‒ Blockchain-based data certification
– Acronis Notary™ provides immutable proof of the integrity of protected data using blockchain technology

Page 53: Vuzion Love Cloud GDPR Event

With an economic incentive to it, new Ransomware families appeared fast…

Source: F-Secure

Page 54: Vuzion Love Cloud GDPR Event

Ransomware Big Trends

Advancing into new operating systems

Advancing into new platforms and devices

Ransomware-as-a-Service

Advanced attack techniques

Page 55: Vuzion Love Cloud GDPR Event

Trend 4: Advanced attack techniques

| Year and defence | Ransomware technique |
| --- | --- |
| 2010: Detection of non-signed files | Malware signed by stolen certificate |
| 2014: Protection for Windows only | Attacks Mac OS X and Linux |
| 2014: Exclude known legitimate system files | Injects into system processes and acts on their behalf |
| 2016: Detection by checking file type/header | Only body of the file is encrypted |
| 2016: Detection of executable files | Uses scripts and non-malicious executables |
| 2016: Detection in running Windows system | Infects before Windows starts |
| 2017: Use of Backup to protect against Ransomware | Attacks & Encrypts different backup files |

Next Generation Ransomware families targeting Backup software

Page 56: Vuzion Love Cloud GDPR Event

Ransomware evolves…

Page 57: Vuzion Love Cloud GDPR Event

… Data Protection evolves too

Acronis Active Protection 2.0: Learning Infrastructure

• Acronis Customers
• Acronis Labs
• Infected and clean processes farms
• Provides processes behavior data
• Updated knowledge base
• Acronis Learning Service
• Acronis Cloud Brain
• Model training, parameters optimization
• Acronis Local Knowledge Base
• You are protected even without Internet

Page 58: Vuzion Love Cloud GDPR Event

Complete protection against modern techniques

| Year and defence | Ransomware technique | Acronis Active Protection™ |
| --- | --- | --- |
| 2010: Detection of non-signed files | Malware signed by stolen certificate | Compromised signatures check |
| 2014: Protection for Windows only | Attacks Mac OS X and Linux | Protection Windows, Mac and Linux |
| 2014: Exclude known legitimate system files | Injects into system processes and acts on their behalf | Checks for injections in system processes (with Machine Learning) |
| 2016: Detection by checking file type/header | Only body of the file is encrypted | Entropy measurement |
| 2016: Detection of executable files | Uses scripts and non-malicious executables | Both executable and scripts detection |
| 2016: Detection in running Windows system | Infects before Windows starts | Pre-Boot anti-ransomware protection |
| 2017: Use of Backup to protect against Ransomware | Attacks & Encrypts different backup files | |

Page 59: Vuzion Love Cloud GDPR Event

Acronis Notary powered by Blockchain

Ensuring that data is authentic and unchanged

“Acronis Notary assures that files are unchanged since they were backed up.”

Have confidence of data authenticity

• A public, secure Blockchain ledger verifies the authenticity of files

• Backup enables the recovery of the original document

• Acronis Notary provides mathematical assurance that the contents of a file perfectly match the original contents that were backed up

Page 60: Vuzion Love Cloud GDPR Event

Thank you

Speak to a member of the Vuzion team

if you’d like to know more!

Page 61: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

David Tweedale, Team Leader

Mimecast and GDPR

Page 62: Vuzion Love Cloud GDPR Event

© 2017 Mimecast.com All rights reserved.

Data Protection

Securing personal and sensitive information

Data Management

Data Protection
• Anti Malware
• Data Leak Prevention
• Encryption
• Breach Notifications

Page 63: Vuzion Love Cloud GDPR Event

Spear-phishing credentials to exploit point-of-sale systems

1. Access gained via spear-phishing attack on a sub-contractor
2. Used as stepping stone onto victim’s network
3. Compromised point of sale systems
4. Customer data stolen, including credit card details
5. Large GDPR Fine and costs to investigate and remediate

Page 64: Vuzion Love Cloud GDPR Event

Technology capabilities: Data protection

Anti Malware

Malware can have a devastating impact on organizations contributing to significant GDPR fines related to data loss

Type of attacks:

• Weaponised attachments
• Malicious URLs
• Malware-less attacks
• Ransomware
• Phishing
• Insiders

Key Strategies

• Multi Layered Approach
• User Awareness
• Advanced Threat Protection
• Logging and monitoring of internal user activities
• Protected, plan B email route and access

Page 65: Vuzion Love Cloud GDPR Event

Data leaked by disgruntled employee

1. Disgruntled employee wants to leave and cause damage to the business
2. Employee emails copy of client database to personal mail account
3. Data collected by the company is now compromised.
4. Customer sensitive data leaked. GDPR fine imposed.

Page 66: Vuzion Love Cloud GDPR Event

Data Leak Prevention (DLP)

Technology capabilities: Data protection

How is data leaving the organization?

• Internal department leakage

• Email attachments

• Shadow IT

Key Strategies

• Internal communications DLP

• Outbound mail inspection

• Corporate data sharing

• Secure messaging channel

Data Loss Protection (DLP) tools prevent inadvertent data breaches by blocking emails containing personal data

Page 67: Vuzion Love Cloud GDPR Event

Encryption

Technology capabilities: Data protection

Where is data encrypted?

• Data stored in applications

• Laptops/Mobile Devices?

• Email archives

Key Strategies

• Secure storage of data

• Secure transfer of data

• Secure data in transit

• Limit data on portable devices

Encryption of data in systems and applications reduces the potential impacts of a data breach

Page 68: Vuzion Love Cloud GDPR Event

Breach Notifications

Technology capabilities: Data protection

Key Information required?

• Analysis of breach

• Mitigate negative consequences

• Alert data protection officer

Key Strategies

• Gather data from Security Incident and Event Monitoring (SIEM) system

• Identify location of data breach

• Identify if personal data was leaked

• Mitigate negative effects

Organizations have 72 hours to notify relevant authorities once a data breach is discovered

Page 69: Vuzion Love Cloud GDPR Event

Data Management

Supporting access rights of individuals

Data Protection
• Anti Malware
• Data Leak Prevention
• Encryption
• Breach Notifications

Data Management
• Search and Discovery
• Secure Repository
• Chain of Custody
• Access Control

Page 70: Vuzion Love Cloud GDPR Event

GDPR – Subject Access Request and Data Portability

1. Data Subject requests access to data stored on them
2. IT Administrator searches across data repositories
3. Results validated/reviewed
4. Secure transmission of data to data subject

Page 71: Vuzion Love Cloud GDPR Event

Subject Access Requests (SAR)

Technology capabilities: Data management

What is the impact?

• Requests need to be handled quickly

• Accurate personal data and additional information

• Availability in electronic format

Key Strategies

• Locate requested personal information quickly

• Prepared response templates

• Employee training to handle SARs

• Self-service portal for SARs

Individuals have the right to obtain confirmation that their personal data is being processed

Page 72: Vuzion Love Cloud GDPR Event

Data Portability

Technology capabilities: Data management

What is the impact?

• Exports need to be timely

• Useable format

• Safe delivery of that export?

Key Strategies

• Data must be structured, searchable

• Exports to common formats

• Ensure the safe delivery of exported data

• Subject review and confirm data required

Individuals have the right to request an export of their data in a format that can be given to another vendor or service

Page 73: Vuzion Love Cloud GDPR Event

GDPR – Right To Be Forgotten

1. Data Subject requests all personal data to be erased
2. IT Administrator searches across data repositories (time consuming)
3. Confirmation given that data is erased

Page 74: Vuzion Love Cloud GDPR Event

Right To Be Forgotten

Technology capabilities: Data management

What is the impact?

• Complete erasure

• Across all systems

• Unless overriding policy is in place

Key Strategies

• Data must be structured, searchable

• Dynamic data adjustments

• Retention management

• Auditable deletion

• Ability to review prior to deletion

Individuals have the right to request erasure of their personal data held by a data controller (subject to conditions)

Page 75: Vuzion Love Cloud GDPR Event

Mimecast Solution

Simplifying GDPR Compliance for Email

Data Management
• Search and Discovery
• Secure Repository
• Chain of Custody
• Access Control

Data Protection
• Anti Malware
• Data Leak Prevention
• Encryption
• Incident Management

• Secure Messaging
• Advanced Threat Security
• Mimecast Cloud Archive
• DLP & Content Security
• API
• RBAC & Data Guardian
• Large File Send
• Mailbox Continuity
• Archive Power Tools
• Search and Review

Mime | OS

Page 76: Vuzion Love Cloud GDPR Event

Email Cyber Resilience for GDPR

• PREVENT: You need technology that provides the best possible multi-layered protection
• MANAGE: You need to control, protect, find and access data effectively
• MAINTAIN: You need to sustain compliance support at all times

Page 77: Vuzion Love Cloud GDPR Event

Thank you

Speak to a member of the Vuzion team

if you’d like to know more!

Page 78: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Jacqueline de Gernier, AVP Commercial Sales

DocuSign and GDPR

Page 79: Vuzion Love Cloud GDPR Event

Getting to Grips with the GDPR: How to Fast-Track Your Compliance

Page 80: Vuzion Love Cloud GDPR Event

Introduction to DocuSign

Page 81: Vuzion Love Cloud GDPR Event

• 14+ Years Innovation
• Highest level certifications
• 188 Countries
• 43 Languages
• 13 Offices
• 5 Continents
• 300k+ corporate customers
• 200 million total users
• #1 Analyst rated

Page 82: Vuzion Love Cloud GDPR Event

The DocuSign Difference

Why customers choose DocuSign

Trust
• Legal & Compliance
• Bank-Grade Security & Encryption
• Platform & Scalability

Experience
• Capabilities & Usability
• Mobile
• Customer Success Programmes

Choice
• Partners & Integrations
• Global #1 APIs

Page 84: Vuzion Love Cloud GDPR Event

Customer Success

Use case: Sales

Experience: Significantly improved

Use case: Procurement

50x faster: Contract signing

“It speeds up the process and makes it more compliant”

Use case: HR

10 minutes: Fastest contract returned

“DocuSign has revolutionised how we send out HR contracts at E.ON”

“Steps that previously took days through post now take minutes”

Page 85: Vuzion Love Cloud GDPR Event

GDPR - Changes to Consent

Page 86: Vuzion Love Cloud GDPR Event

Demanding requirements for consent

Under the GDPR, consent must be:

• Freely given

• Specific

• Informed

• Unambiguous

"Consent should be given by a clear affirmative act … such as by a written statement, including by electronic means, or an oral statement… Silence, pre-ticked boxes or inactivity should not therefore constitute consent." (Recital 32)

Page 87: Vuzion Love Cloud GDPR Event

Consent will often be required

When collecting an individual’s personal information relating to:

• Using an individual’s sensitive personal information

• Sending an individual e-marketing

• Sharing an individual’s personal information with independent third parties

Page 88: Vuzion Love Cloud GDPR Event

Consent must be verifiable

Businesses must be able to prove that they obtained the individual's consent. This requires maintaining consent records that can be checked to verify:

1. That the individual has consented;

2. What they consented to, and;

3. When they consented

Individuals "shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw consent as to give consent." (Art 7(4))

Page 89: Vuzion Love Cloud GDPR Event

Common consent challenges

• Marketing / Sales – Personal information for e-marketing purposes

• HR – Personal information for a job application or for the provision of employee benefits

• Healthcare – Personal information for the purpose of medical studies and clinical trials

• Online – Consenting to the use of cookies and similar tracking technologies

Page 90: Vuzion Love Cloud GDPR Event

Re-contracting with Suppliers

Businesses must ensure:

• Legacy vendors move to new, GDPR-compliant, data protection terms

• Future vendors are also signed up to GDPR-compliant terms

Page 91: Vuzion Love Cloud GDPR Event

How DocuSign can be part of a GDPR Consent solution

Page 92: Vuzion Love Cloud GDPR Event

Business

Page 93: Vuzion Love Cloud GDPR Event

Consumers

Customers

Partners

Suppliers

Employees

Business

Page 94: Vuzion Love Cloud GDPR Event

Disconnected Systems

Manual Processes

Fragmented Policies

Consumers

Customers

Partners

Suppliers

Employees

Business

Page 95: Vuzion Love Cloud GDPR Event

Consumers

Customers

Partners

Suppliers

Employees

Business

Digital consent

Page 96: Vuzion Love Cloud GDPR Event
Page 97: Vuzion Love Cloud GDPR Event
Page 98: Vuzion Love Cloud GDPR Event
Page 99: Vuzion Love Cloud GDPR Event

Bespoke reports for GDPR and the data can be extracted

Page 100: Vuzion Love Cloud GDPR Event

Case Study: Filestream

Company’s Top Challenges

• Manual processes – contracts require manual chasing to fulfill terms and conditions

• Not GDPR-ready – holding of personal data is not currently compliant with legislation

• Inadequate security – Information sent over email is not as secure as it could be

Reasons for Choosing DocuSign

• Security standards – DocuSign meets and exceeds some of the most stringent US, EU, and global security standards

• Commitment to compliance – DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements

• Digitising process – digital signatures remove need to print and scan paper documents

The Key Benefits

• Quicker signing process – turnaround time is now 40 times faster

• Customer consent – DocuSign’s tools are being utilised to be ready for new legislation coming into force in May 2018

• Data protection – personal data is protected whenever a third-party comes in contact with it

“I wouldn’t choose any other partner but DocuSign for ease and security” – Paul Day, Technical Director, Filestream

EXECUTIVE OVERVIEW

ABOUT

Company: Filestream

Headquarters: Berkshire, UK

Founded: 2003

Industry: Software

Website: www.filestreamsystems.co.uk

Partners: DocuSign

Use Case: Sales

TOP BENEFITS ACHIEVED

45 minutes: Contract turnaround time

40 x faster: Quicker signing experience

GDPR-ready: DocuSign tools being used for compliance

Page 101: Vuzion Love Cloud GDPR Event

Thank you

Email: [email protected]

GDPR Seminar – 9th Nov, 5pm – 7pm

ETC Venues, Fenchurch Street

discover.docusign.co.uk/best-practices-for-gdpr

Page 102: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Host - Caroline Wigley (Vuzion), Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Rowland Dexter (QGate)

Panel Interview

Page 103: Vuzion Love Cloud GDPR Event

Love Cloud GDPR

Closing Thoughts

Page 104: Vuzion Love Cloud GDPR Event

Process track

Technical track

Define the requirement

Create the plan

The Partner Opportunity

GDPR Webinars

GDPR Workshops

GDPR Healthcheck

GDPR Assessments

Implementation Clinics

Annuity Services

Page 105: Vuzion Love Cloud GDPR Event

Thank you to our presenters

Page 106: Vuzion Love Cloud GDPR Event

Thank you for attending Love Cloud GDPR

Speak to a member of the Vuzion team if you’d like any further information about GDPR!